General
-
Target
ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118
-
Size
1.1MB
-
Sample
240412-fzpzxsfe92
-
MD5
ef3767ef13fb990913bd5c1a6b3e096f
-
SHA1
9b06a00d3e5370a43e9e123235850263857f0270
-
SHA256
8f8da0486aaad7e72a762f3c66f64a960a6f6dacbc9f21fb3567a8c0b5be48de
-
SHA512
b2c5c8743ed94b03441404552fcf31d403344dd2546c1b72011b2053dc47b993b98d25c1635f73dfa199fc4fb180b3a3ff8a00cebeba27af1948aa058d1a167c
-
SSDEEP
12288:wIdgdMqoYBE5gTG2DQy2KibdJBA7gsh9NXsVWgCqGum80deaARreevyq4K6mf:UmdYmCq2DsnZJBAxN8JCqG380KhvVsQ
Static task
static1
Behavioral task
behavioral1
Sample
ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
ayocj2018
Targets
-
-
Target
ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118
-
Size
1.1MB
-
MD5
ef3767ef13fb990913bd5c1a6b3e096f
-
SHA1
9b06a00d3e5370a43e9e123235850263857f0270
-
SHA256
8f8da0486aaad7e72a762f3c66f64a960a6f6dacbc9f21fb3567a8c0b5be48de
-
SHA512
b2c5c8743ed94b03441404552fcf31d403344dd2546c1b72011b2053dc47b993b98d25c1635f73dfa199fc4fb180b3a3ff8a00cebeba27af1948aa058d1a167c
-
SSDEEP
12288:wIdgdMqoYBE5gTG2DQy2KibdJBA7gsh9NXsVWgCqGum80deaARreevyq4K6mf:UmdYmCq2DsnZJBAxN8JCqG380KhvVsQ
-
Detect ZGRat V1
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-